Ability to set the Service-Worker-Allowed header
This commit is contained in:
parent
d8860eaee4
commit
133644dfa2
|
@ -35,7 +35,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
- OAuth improvements and fixes: more secure session-based authentication (by token that could be revoked anytime), ability to revoke belonging OAuth token from any client etc.
|
- OAuth improvements and fixes: more secure session-based authentication (by token that could be revoked anytime), ability to revoke belonging OAuth token from any client etc.
|
||||||
- Ability to set ActivityPub aliases for follower migration.
|
- Ability to set ActivityPub aliases for follower migration.
|
||||||
- Configurable background job limits for RichMedia (link previews) and MediaProxyWarmingPolicy
|
- Configurable background job limits for RichMedia (link previews) and MediaProxyWarmingPolicy
|
||||||
|
- Ability to set the `Service-Worker-Allowed` header
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
<summary>API Changes</summary>
|
<summary>API Changes</summary>
|
||||||
|
|
|
@ -1749,6 +1749,14 @@
|
||||||
type: :string,
|
type: :string,
|
||||||
description: "Adds the specified URL to report-uri and report-to group in CSP header",
|
description: "Adds the specified URL to report-uri and report-to group in CSP header",
|
||||||
suggestions: ["https://example.com/report-uri"]
|
suggestions: ["https://example.com/report-uri"]
|
||||||
|
},
|
||||||
|
%{
|
||||||
|
key: :service_worker_allowed,
|
||||||
|
label: "The Service-Worker-Allowed header",
|
||||||
|
type: :string,
|
||||||
|
description:
|
||||||
|
"Sets the Service-Worker-Allowed header which limits the maximum allowed Service Worker scope",
|
||||||
|
suggestions: ["/"]
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
|
|
@ -23,6 +23,7 @@ def call(conn, _options) do
|
||||||
defp headers do
|
defp headers do
|
||||||
referrer_policy = Config.get([:http_security, :referrer_policy])
|
referrer_policy = Config.get([:http_security, :referrer_policy])
|
||||||
report_uri = Config.get([:http_security, :report_uri])
|
report_uri = Config.get([:http_security, :report_uri])
|
||||||
|
service_worker_allowed = Config.get([:http_security, :service_worker_allowed])
|
||||||
|
|
||||||
headers = [
|
headers = [
|
||||||
{"x-xss-protection", "1; mode=block"},
|
{"x-xss-protection", "1; mode=block"},
|
||||||
|
@ -34,6 +35,13 @@ defp headers do
|
||||||
{"content-security-policy", csp_string()}
|
{"content-security-policy", csp_string()}
|
||||||
]
|
]
|
||||||
|
|
||||||
|
headers =
|
||||||
|
if service_worker_allowed do
|
||||||
|
[{"service-worker-allowed", service_worker_allowed} | headers]
|
||||||
|
else
|
||||||
|
headers
|
||||||
|
end
|
||||||
|
|
||||||
if report_uri do
|
if report_uri do
|
||||||
report_group = %{
|
report_group = %{
|
||||||
"group" => "csp-endpoint",
|
"group" => "csp-endpoint",
|
||||||
|
|
|
@ -72,6 +72,14 @@ test "default values for img-src and media-src with disabled media proxy", %{con
|
||||||
assert csp =~ "media-src 'self' https:;"
|
assert csp =~ "media-src 'self' https:;"
|
||||||
assert csp =~ "img-src 'self' data: blob: https:;"
|
assert csp =~ "img-src 'self' data: blob: https:;"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "it sets the Service-Worker-Allowed header", %{conn: conn} do
|
||||||
|
clear_config([:http_security, :enabled], true)
|
||||||
|
clear_config([:http_security, :service_worker_allowed], "/")
|
||||||
|
|
||||||
|
conn = get(conn, "/api/v1/instance")
|
||||||
|
assert Conn.get_resp_header(conn, "service-worker-allowed") == ["/"]
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "img-src and media-src" do
|
describe "img-src and media-src" do
|
||||||
|
|
Loading…
Reference in a new issue